Coinbase says some employees’ information stolen by hackers • ClassyBuzz

Crypto exchange Coinbase has confirmed that it was briefly compromised by the same attackers that targeted Twilio, Cloudflare, DoorDash, and more than 100 other organizations last year.
In a post-mortem of the incident published over the weekend, Coinbase said that the so-called ‘0ktapus’ hackers stole the login credentials of one of its employees in an attempt to remotely gain access to the company’s systems.
0ktapus is a hacking group that targeted more than 130 organizations in 2022 as part of an ongoing effort to steal the credentials of thousands of employees, usually by impersonating Okta log-in pages. That figure of 130 organizations is now probably much higher, as a leaked CrowdStrike report seen by ClassyBuzz claims that the gang is now targeting a number of tech and video game companies.
In the case of Coinbase, the 0ktapus hackers first sent spoofed SMS text messages to a number of employees on February 5 advising that they needed to log in urgently using the link provided to receive an important message. One employee followed the phishing link and entered their credentials. In the next phase, the attacker tried to log into Coinbase’s internal systems using the stolen credentials but failed because access was protected with multi-factor authentication.
Some 20 minutes later, the attacker used voice phishing, or “vishing,” to call the employee claiming to be from the Coinbase IT team, and directed the victim to log into their workstation. This allowed the attacker to view employee information, including names, email addresses and phone numbers.
“A threat actor was able to view the dashboard of a small number of internal Coinbase communication tools and access limited employee contact information,” Coinbase spokesperson Jaclyn Sales told ClassyBuzz. “The threat actor was able to see, through a screen share, certain views of internal dashboards and accessed limited employee contact information.”
However, Coinbase says its security team responded quickly, preventing the threat actor from accessing customer data or funds. “Our security team was able to detect unusual activity quickly and prevent any other access to internal systems or data,” Sales added.
Coinbase said no customer data was accessed. The company’s chief information security officer, Jeff Lunglhofer, said he recommends that users consider switching to hardware security keys, which cannot be phished, for stronger account access, but he didn’t say whether Coinbase uses hardware keys internally.
